The personal computer provides a platform on which anyone willing to invest the effort in programming can write programs that can carry out almost any desired function, limited only by the constraints of the programming language, the operating environment, and the hardware on which the program is executed. The manufacturers of personal computers and those providing the operating systems and programming tools place little restriction on how a user chooses to use their respective products. However, there are instances where it may be important to restrict how computing devices are used. In the broadest sense, a computing device may be any device that includes a processor that executes program code stored in a memory to perform some function. Thus, a computing device can have a dedicated function, or may be very general in functionality, just as a typical personal computer is. As used herein, the terms “code,” “program code,” and “control code” refer to a set of instructions that are executed by a machine, such as a processor of a computing device.
One type of computing device that is similar in some ways to a personal computer, yet is more specialized in its primary function, is a multimedia console. Although multimedia consoles can often perform other functions, their primary function is to execute machine instructions, or program code, to enable one or more users to play various types of multimedia, such as video, audio, and games. The companies that produce multimedia consoles have a substantial interest in controlling various aspects of any multimedia software that is executed on their consoles. For example, they will want to ensure that the quality of the multimedia software meets certain specifications. Since the manufacturers of multimedia consoles typically license other companies to produce multimedia software that is usable on their multimedia consoles, it is preferable to preclude unlicensed software from being used on the console. Aside from the loss of revenue that would result if unlicensed software is played on a multimedia console, there is also an issue of maintaining quality control over software that is played on the multimedia console. Also, it will be important to ensure that software licensed for use on a multimedia console has not been modified after it was approved for distribution and released to the public. Without such controls being applied, multimedia software might be “hacked” to circumvent licensing restrictions or to add features or functionality that were not included in the authorized software when it was originally approved for distribution by the software company under license from the maker of the multimedia console.
In one class of multimedia consoles, referred to as game consoles, hardware-related techniques have been used in the past for authenticating software plug-in cartridges used to store game software. For example, in some game consoles, the housing of authorized software game cartridges and a corresponding receptacle in the game console are formed to prevent cartridges of a different shape from being inserted into the receptacle. In addition, some game cartridges include a processor and a read only memory (ROM) that stores specific data needed to authenticate the cartridge. If the result of a calculation carried out by both the processor in the game console and the processor in the cartridge do not match, the game console will not enable the software for the game stored in the cartridge to execute on the game console.
Because of the richness of the graphics and the complexity of games and multimedia content designed to run on current generation multimedia consoles, the multimedia software is more efficiently distributed on optical storage media, such as compact disc-read only memory discs (CDROMs) or digital versatile discs (DVDs). Accordingly, alternative approaches that do not rely upon the physical shape of the medium on which the multimedia software resides must be employed. Details of how other multimedia console manufacturers have chosen to address this problem are not readily available. Clearly, systems and methods for determining whether software distributed on these media is properly signed and has not been modified or altered are desirable.
Many processors used in various computing devices provide support for assigning different levels of “privilege” to different executable program code within a computer system as a form of security against unauthorized execution of program code. Program code can include source code written in a high level programming language, assembly language, or machine-language, and the code can be executed in compiled form or via interpretation. With processors that support different privilege levels, some program code may be permitted to execute on the processor at a higher privilege level than other code. Generally, program code that executes at a “higher” privilege level will have greater access to certain parts of the instruction set of the processor and to other hardware resources of the computing device.
A privilege level, sometimes also referred to as a “ring,” can be thought of as a logical division of hardware and software within a computing device. A privilege level (or ring) typically determines the total range or ranges of memory that executing program code can access as well as the range of instructions within the total instruction set of a processor that can be executed by the processor on behalf of that program code. An attempt by certain program code to access a memory range or a processor instruction outside of its privilege level typically will result in a processor fault. Program code afforded a higher privilege level (or ring) typically has privileges inclusive of that of other program code afforded a lower privilege level (or ring). Some processors support just two privilege levels, while others provide support for three, four, or more privilege levels.
For example, the architecture of the x86 series of processors manufactured by Intel Corporation provide four privilege levels, which range from “Ring 0,” the highest privilege level, to “Ring 3,” the lowest privilege level. Program code assigned to a particular privilege level can only access data and other programs which are assigned to the same or a lower privilege level. Thus, program code assigned to “Ring 2” can invoke (i.e., call) other program code assigned to Ring 2 as well as program code assigned to Ring 3, but it can not make a direct call to program code at either Ring 1 or Ring 0. As another example, the PowerPC® microprocessor architecture developed jointly by IBM Corporation, Motorola, Inc. and Apple Computer, Inc. supports three privilege levels referred to as the hypervisor mode (highest level), supervisor mode, and user mode (lowest level).
Generally, the current privilege level at which a processor executes certain program code is established by setting an appropriate bit or combination of bits in a hardware register within the processor. The details of the privileges provided at each level are implementation dependent, and not essential to the understanding of the present invention.
The privilege level concept is most often used to prevent full access to computing resources by application programs. Typically, an operating system developer will assign the highest privilege level to certain key portions of the operating system, such as the operating system kernel, but will relegate other operating system services and application programs to lower privilege levels. In order to obtain services that employ resources not directly available to application programs, application programs need to call operating system routines through the operating system interface. Those operating system routines can then promote the current privilege level of the processor to the higher privilege level in order to access the necessary resources, carry out the task requested by the application program, and then return control to the application program while simultaneously demoting the privilege level of the processor back to the lower level. Privilege levels can also be used to prevent the processor from executing certain privileged instructions on behalf of an application program. For example, instructions that alter the contents of certain registers in the processor may be privileged, and may be executed by the processor only on behalf of an operating system routine running at the highest privilege level. Generally, restricted instructions include instructions that manipulate the contents of control registers, such as the registers of a memory management unit, and special operating system data structures.
Another mechanism that many processors employ to provide security against unauthorized use of digital data or program code in a computing device is the ability to grant different access permissions to different locations of the memory of the computing device. Access permissions are sometimes also provided to ranges of memory locations, such as a “page” of memory in a system that supports allocation of memory “pages,” either in real memory or virtual memory. For example, real or virtual memory may be divided into pages of a fixed size, such as 4 kilobytes.
Many processors support several types of memory access permissions that can be applied to a given location or a given page of memory, such as READ, WRITE, and EXECUTE permissions. Different combinations of these permission can be applied to a given location or page of memory to effect a desired level of protection. For example, a page of memory assigned only the READ permission will be read-only, whereas a page of memory assigned both the READ and WRITE permissions will permit both read and write access to the page (i.e., “read/write” access). A page or portion of memory assigned the WRITE permission is said to be “writable.” A memory page having the EXECUTE permission (which can be combined with the READ and WRITE permissions) can be used for the purpose of enabling any program code stored in the memory page to be executed. That is, program code stored in such a memory page has permission to be executed by the processor; the memory page is said to be “executable.” Typically, a table is maintained by the processor that indicates the various access permissions assigned to any memory locations that have been allocated to the operating system or an application program.
While the concepts of privilege levels and memory access permissions are useful in placing some restrictions on data and program code within a computing device, neither one of those concepts alone is sufficient to ensure that only properly signed code is executed by a processor and that such program code has not been modified or altered. Systems and methods for ensuring that only properly signed program code is executed on a processor and that such program code has not been modified or altered continue to be desirable. The present invention addresses this need.